Security Engineer

Project Overview

In this contract role, you will be at the forefront of protecting the products and services that millions of our members trust every day. You will support a key security initiative by embedding security into our development lifecycle and proactively defending against emerging threats. You will have a direct impact on our security posture by identifying and triaging vulnerabilities and by partnering with engineers to provide actionable, code-level recommendations for remediation.

This project is an opportunity to work at scale in a fast-paced environment that values collaboration and proactive security. The focus of this engagement is to solve complex security puzzles, protect the company from real-world threats, and meaningfully improve the safety and trust of our members.

What You'll Do

• Triage and validate vulnerabilities from our suite of security tools, including Data Loss Prevention (DLP), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Open-Source Software (OSS) scanning.

• Work closely with development teams to communicate findings, provide clear remediation guidance, including specific recommendations for code fixes, and ensure timely resolutions.

• Proactively identify patterns and tune security tooling to improve our signal-to-noise ratio and reduce false positives.

• Develop scripts and automation to streamline repetitive tasks and scale our vulnerability management processes.

• Use ticketing systems to manage the end-to-end vulnerability lifecycle, from discovery to remediation.

Required Skills & Experience

• Experience in an application security, product security, and/or vulnerability management role.

• Hands-on experience operating and interpreting results from security tools, including Data Loss Prevention (DLP), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST).

• Proven ability to triage security vulnerabilities and distinguish between true and false positives.

• Strong understanding of secure coding practices and the ability to recommend specific code changes to fix vulnerabilities.

• Proficiency in a scripting language (e.g., Python, Go, Bash) for automation.

• Excellent communication skills, with a proven ability to explain complex security issues to developers.

• Experience refining and tuning the rules and policies of security tools.

• Experience with ticketing systems (e.g., JIRA, ServiceNow, Azure DevOps) for vulnerability tracking and remediation management.

• Strong understanding of common web application vulnerabilities (e.g., OWASP Top 10).

• Familiarity with CI/CD pipelines and securing the Software Development Life Cycle (SDLC) is beneficial.

• Proficiency in Scala, Java, or Typescript is also beneficial.

• A Bachelor’s or Master's degree in a related field or relevant security certifications (e.g., GIAC, OSCP) are a plus.

This contractor will be responsible for the following deliverables to enhance the security posture of our platform.

Vulnerability Triage and Validation:

• Triage and validate security vulnerabilities identified by the company's suite of security tools, including Data Loss Prevention (DLP), Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Open-Source Software (OSS) scanning.

• Distinguish between true and false positives to ensure engineering effort is focused on actual threats.

Remediation and Engineering Partnership:

• Communicate findings and provide clear, actionable remediation guidance to development teams.

• Deliver specific, code-level recommendations to engineers for fixing vulnerabilities.

• Manage the end-to-end vulnerability lifecycle using ticketing systems (e.g., JIRA, ServiceNow) to track progress from discovery through to confirmed remediation.

Process Automation and Tooling Enhancement:

• Develop scripts and automation tools to streamline repetitive tasks and scale the vulnerability management process.

• Proactively identify patterns in security findings and tune security tooling to reduce false positives and improve the signal-to-noise ratio.